Why our credit cards keep getting hacked

USA TODAY - After the huge Target breach of 2013, you’d have thought retail companies would have figured out how to protect their cash register systems from malware that attempts to steal customers' data.

Then came Home Depot. Then Neiman Marcus. Then Wendy's. In the past few months, Chipotle, Arby’s and Kmart were all hit. Why are these attacks still happening?

Time and money, say experts. It takes time for companies to rebuild point of sale systems more securely and shift from magnetic stripe credit and debit cards to more secure chip cards. They need money to hire tech staff to secure those networks, money to buy software to do the securing and money to buy new, encrypted point-of-sale machines.

“It’s expensive and complicated to get systems to up the point they’re really hardened against these kinds of attacks,” said John Miller, manager of threat intelligence for FireEye, a large cyber security company.

Proportionally, attacks on point-of-sale systems (as modern cash register systems are called) are down, according to the 2017 Data Breach Investigations Report by Verizon. This year they've made up just 6.7% of overall breaches tracked by the company, down from a high of 45.4% in 2011.

Even so, there are still lots of these thefts, in which criminals insert malicious software into a company's point-of-sale (POS) system. The malware surreptitiously records credit and debit card information when customers swipe them through payment terminals. It later sends the card information to the thieves, who sell it on the Internet underground, known as the dark web.

These breaches continue to cause retailers and their customers headaches. In 2016, each stolen record cost retailers $172 to deal with, according to a study commissioned by IBM. In May, Target agreed to pay $18.5 million to resolve state investigations into the attack that affected more than 41 million of the company's customer payment card accounts.

One problem is that many retail companies are slow to install software patches, even for known security problems, because they fear the patches might disable their POS software or terminals, causing them to miss sales.

That inconvenience is compounded by the increased frequency of these recommended security updates. While once companies might have gotten quarterly software updates, today they’re hit with a constant blizzard of them.

“Now we’re agile, we’re releasing something every week, or every day or even every hour,” said Ryan O’Leary, vice president of the threat research center at WhiteHat Security in Santa Clara, Calif.

While no system is 100% secure, most can be made much safer than they are. But not all retailers take the necessary steps. In fact, some wait to install known, but expensive, protective measures until they're hacked.

“One they’re in the headlines, that’s when they invest the money, no matter how much pain there is,” said Ryan Olson, a threat intelligence director at cyber security firm Palo Alto Networks.

Consumers can try to protect themselves by looking for retailers that have enabled chip-based credit and debit card use on their POS terminals. These are much more secure than magnetic stripe cards.

When a customer swipes a card with a magnetic stripe, the POS machine sees the credit or debit card number, the card’s expiration date and the three or four-digit security code off the stripe. On a chip card, that security code is encoded as a dynamic cryptogram that changes each time the card is used.

This means stolen stripe card information is much more valuable to thieves, as it can be sold to create fake cards or used online. Without the security code — which the chip reader masks — the stolen credit card number and expiration date are worth much less on the dark web where thieves typically sell their stolen card data.

Unfortunately, only 44% of retail storefronts have chip card readers enabled on their POS systems, so customers still have to swipe the card's stripe, even if it has a chip, said Mark Nelsen, a senior vice president of risk and authentication products at Visa.

As that changes, POS hacking will become less lucrative, because the information hackers can collect won’t be worth as much on the black market. Though FireEye’s Miller doesn't see cyber thieves giving up until the last possible moment.

“Criminals know there’s a shrinking window for these kinds of attacks," he said. "They make a lot of money off them, so they want to make as much as they can while they still can."